Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deep Planner

v1.0.2

A meta-skill that activates before complex tasks to enforce structured planning, step-by-step execution, and self-reflection. Works like Claude Code's TodoLi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (planning/supervision) matches the instructions: generating plans, supervising multi-step tasks, and delegating to other skills. Persisting a todo list to disk is coherent for a planner. However, the metadata lists no required config paths while the instructions explicitly read/write a `.todolist/` path — an omission in the manifest (transparency gap).
Instruction Scope
SKILL.md explicitly instructs the agent to scan, read, and write files under a `.todolist/` directory, recover interrupted tasks, and leave completed files in place. Those filesystem operations are outside the registry metadata's declared scope (no config paths), and the instructions do not require user confirmation for creating/writing files nor clarify exact filesystem location (relative path ambiguity). This is a scope/information-disclosure concern because persisted plans could inadvertently include sensitive context.
Install Mechanism
Instruction-only skill with no install spec or external downloads — lowest installation risk. There is no code to execute or remote fetch indicated in the package.
Credentials
The skill requests no environment variables or credentials. There are no declared secrets requested, which is proportional to a planning/meta skill.
Persistence & Privilege
The skill will create and maintain persistent files (`.todolist/YYYYMMDD-{task-name}.md`) and expressly instructs leaving completed files in place. It does not request elevated privileges or 'always: true', and it does not modify other skills. Nonetheless, persistent on-disk state is a behavioral privilege the user should be comfortable with.
What to consider before installing
What to consider before installing/using this skill:

- Understand and approve on-disk persistence: the skill will create and update files under a `.todolist/` directory (relative path). Confirm where that directory will be created in your environment and whether you want agent-written files kept by default.
- Expect persistent state: completed task files are left in place. Review these files for sensitive content (plans may include inferred assumptions or snippets of user-provided context) and make a policy for deletion/archiving if desired.
- Metadata omission: the registry did not declare the `.todolist/` config path. Ask the publisher (or your platform admin) to update the manifest to declare the path and clarify exact location and file format.
- Limit exposure: if you are concerned, run the agent with restricted filesystem access (or in an ephemeral/sandboxed environment), or instruct the agent to persist plans only to a user-approved directory each time.
- Review included templates: the references/task-types.md content is benign and helps the planner; still check that templates do not cause the agent to pull data from unexpected sources.
- Provenance/privacy: the skill source and homepage are unknown. Prefer skills with transparent source repos or vendors. If you proceed, monitor the created files the first few times to ensure no unexpected data is written or exfiltrated.

If you want this skill but not on-disk persistence, ask it (or request an updated manifest) to: use an explicit user-specified path, require explicit confirmation before writing files, or operate purely in-memory and output plans only in the conversation.



